Home Server Projects

The best servers are those that don't appear to be servers at all.

Friday 14 August 2009, 3:48 AM

A Not-so-Stupid Nerd Trick in Windows XP Pro

Posted by Xwindowsjunkie

or “How to Drive Someone Batty with Windows”

Setting up a custom User Shell has been fairly well documented. It takes changes to two registry keys, one in HKEY_CURRENT_USER (HKCU) and the other in HKEY_LOCAL_MACHINE (HKLM). The HKLM key opens up Pandora's box and the HKCU key puts something in the box. I would suggest that the User account be a Limited Account, not an Administrator.

First log on as the intended victim, uhh, make that User, open Regedit.exe and change the "Shell" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to an executable batch file. This entry must be a REG_SZ (a single string) and must contain the full path if it's not on the User's path variable. So something like this: "c:\folder name\surprise.bat". The use of double quotes is suggested for paths that include folder names with spaces.

Surprise.bat can launch any executable you would like to drive the User crazy with.

A one-line batch file is all you need, like:
cmd /c "c:\folder name\surprise.exe"

Make sure to put whatever command-line options you need inside the right-hand quotes. The batch file can be as long and complicated as necessary. Just make sure that all of the executables and other files necessary are where the batch file says they are. Once the batch file starts, the usual Control-Alt-Delete doesn't work. Control-C will sometimes stop the program BUT it goes right back to the beginning and begins again.

Now log off and log on again as an Administrator.

Now what makes it nuts is to set the System to allow custom shells. Start Regedit again and go to:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\System.ini\boot\shell

Change the Value to be:

USR:Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Note that the string value starts with USR:Software.

Reboot and let the fun begin.

Every time the vic---User logs on, the program in the batch file starts. Every time the user manages to stop the program, it restarts. The magic cookie is the batch file. Since the system considers a batch file to be part of the cmd shell, it executes it. When the program is stopped, the system returns to the registry to restart the shell, which is the batch file that just got terminated. This same behavior is what restarts Explorer when you've stopped the Explorer process in the Task Manager window or, more likely, it blows up all by itself.

This has some really nice properties for programming "endless loops" for slide-shows, media presentations in kiosks or PowerPoint-like presentations. The advantage is that outside of pulling the power plug, there's no way to shut it off.

Add an AutoAdminLogon registry entry to the same Winlogon key in HKLM with a REG_SZ value of "1", put the DefaultUserName and DefaultPassword entries in the same key with the Victim's user name and password and you're all set. So the next time the power is plugged in, there it goes.
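The three registry changes described above are also what to look for when checking whether a machine has been set up this way. The following is an added example, not code from the original post: it audits the text of a regedit export for them. The sample export, the user name "kiosk", the password and the finding names are constructed for illustration, and only string values are parsed.

```python
import re

# Constructed sample: regedit-style export of a machine after the steps above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"Shell"="USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kiosk"
"DefaultPassword"="example-password"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="\"c:\\folder name\\surprise.bat\""
'''
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
BOOT_MAP = r"software\microsoft\windows nt\currentversion\inifilemapping\system.ini\boot"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1)).lower()] = unescape(m.group(2))
    return keys

def audit(text):
    """Return (finding, detail) pairs for the three settings the post changes."""
    findings = []
    for path, values in parse_reg(text).items():
        hive, _, sub = path.partition("\\")
        shell = values.get("shell", "")
        if sub == BOOT_MAP and shell.upper().startswith("USR:"):
            findings.append(("per-user-shell-enabled", shell))
        elif sub == WINLOGON and hive == "hkey_current_user":
            if shell and shell.strip('"').lower() != "explorer.exe":
                findings.append(("custom-user-shell", shell))
        elif sub == WINLOGON and values.get("autoadminlogon") == "1":
            if "defaultpassword" in values:  # password is stored as readable text
                findings.append(("autologon-stored-password", values.get("defaultusername", "")))
    return findings
```

Regedit's version 5.00 exports are UTF-16 files, so decode them with that encoding before passing the text to audit().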

This is an excellent technique to use when scripting some sort of automated process that absolutely, positively has to be done exactly right. If the user manages to shut it down, it starts right back at the beginning and runs all the way to the end. When the process has reached its conclusion, put a shutdown.exe command in the batch file to shut off the computer.

It might also be a way to torture terrorists. Put Windows Media Player on it and force the terrorist to watch a SpongeBob SquarePants cartoon over and over again. Just don't give him earplugs or a keyboard and he'll tell you what you want to know in hours.
